Botnets, phishing and spyware

2004 in review

The year 2004 in internet security will probably be best remembered as the year the profit motive became a primary driver for the creation of computer viruses. 2004 also saw several high-profile arrests, making it one of the most successful years in the fight against cybercrime.

Home PCs became the front line in the fight between cybercriminals and defenders as the growing use of networks of compromised machines (botnets) to send out spam or in DDoS attacks became a major security headache. Windows XP SP2, touted as Microsoft's most important advance in computer security, made its debut - the jury is still out on SP2's efficacy in defending against botnets.

During 2004 the number of known viruses passed the 100,000 mark, according to F-Secure, the anti-virus firm.

War of the worms

2004 began with a battle between the creators of three email worms - Bagle, MyDoom and NetSky - for the control of virus-infected Windows PCs. Many variants of MyDoom, which first appeared in January, launched distributed denial-of-service attacks against the likes of SCO, Microsoft and the RIAA - with mixed results. The prolific Bagle strain was thought to be a straightforward mass-mailing worm when it first appeared in January. But it soon became apparent that both MyDoom and Bagle established a backdoor on infected machines that turned PCs into spam proxies. Each email worm used variants of the Mitglieder proxy Trojan to achieve this.

In February NetSky came onto the scene; it removed Bagle and MyDoom from infected Windows PCs. NetSky triggered an "arms race" between virus writing camps with the creation of multiple variants of all three worms, many of which disparaged authors from the rival camps. This viral bunfight only ended with the May arrest of German teenager Sven Jaschan, who readily confessed to creating the first versions of NetSky and a prolific internet worm called Sasser.

Sasser took advantage of a serious Windows vulnerability, involving a buffer overrun in Windows' Local Security Authority Subsystem Service, to spread widely in early May. Sasser was launched just 18 days after Microsoft issued a fix for the flaw it exploited. Like NetSky, Sasser was designed to wipe MyDoom and Bagle off infected PCs - a misguided effort with disastrous side-effects. Its aggressive scanning and capacity to cause unpatched machines to become unstable caused all sorts of grief. The operations of Sampo, Finland's third largest bank, WestPac and RailCorp in Australia, the UK coastguard and the European Commission in Brussels all had significant problems because of Sasser.

Dragnet

German police arrested Jaschan six days after the release of Sasser, following a tip-off obtained via Microsoft's Anti-Virus Reward Programme. When the snitches (Jaschan's fellow students) became suspects themselves, the promised $250,000 reward was withheld. None of this affected the spread of the worms Jaschan created, of course, and NetSky-P went on to become the most prolific virus of 2004.

On the same weekend Jaschan was arrested, police in the southern German state of Baden-Wuerttemberg arrested a 21-year-old man on suspicion of creating variants of the Agobot (AKA Phatbot) Trojans. Not much has been heard of this suspect - known only as Alex G. But the case against him could provide valuable insights into the trade in compromised PCs. Hundreds of versions of Agobot have been created and its use is intimately linked with the creation of botnets.

Police across the world mounted high profile cybercrime investigations in 2004. In the US, the Secret Service shut down groups (carderplanet and shadowcrew) alleged to have traded stolen credit card numbers online. In July, three men suspected of masterminding a cyber-extortion racket targeting online bookies were arrested in a joint operation between the UK's National Hi-Tech Crime Unit and its counterparts in the Russian Federation. The trio, who investigators reckon netted hundreds of thousands of pounds from the shakedowns, were picked up in a series of raids both in St Petersburg, and in the Saratov and Stavropol regions in southwest Russia.

Extortion is not the only motive for DDoS attacks. In August six men were charged by the Californian courts over the first case involving the use of sophisticated denial of service attacks directed against business rivals. Jay Echouafni, chief exec of Orbit Communication Corporation in Massachusetts, along with a business partner, allegedly hired computer hackers in Arizona, Louisiana, Ohio, and the UK to launch computer attacks against Orbit's online competitors. Echouafni skipped bail and has become a fugitive from justice.

December brought the successful end to a Scotland Yard-led inquiry into the use of the Randex Trojan in the creation of botnets. Elsewhere in 2004 Australian 419 email scammer Nick Marinellis was jailed for four years; Brazilian police made more than 50 arrests for Trojan phishing and the UK's NHTCU made several phishing-related arrests.

Once upon a time, virus writers were motivated by notoriety, but now the profit motive is more important. The use of keylogging Trojans in phishing scams is one way they can make money. Selling access to botnets - networks of compromised PCs - is another potential money-spinner, as is spyware.

Gone phishin’

Scam emails that form the basis of phishing attacks often pose as 'security check' emails from well-known businesses. These messages attempt to trick users into handing over their account details and passwords to bogus sites. The collected details are used for credit card fraud and identity theft. First seen more than a year ago, phishing emails are becoming increasingly sophisticated. The Anti-Phishing Working Group analysts reckon fraudsters are using automated tools and botnets to ramp up attacks.

The customers of UK banks were the frequent target of phishing attacks. NatWest even suspended its online banking service to give it time to cope with one assault. In response, the banking industry came together with police to advise customers on how to avoid falling victim to the scam. A UK government initiative to promote internet security among consumers and SMEs - dubbed Project Endurance - is due to launch next year.

SP2 comin’ at ya

Microsoft's main attempt to improve internet security this year came with the shipment of Windows XP Service Pack 2 in August. Principal additions with Windows XP SP2 include: Windows Security Centre; automatically turning on Windows Firewall; and browsing enhancements to Internet Explorer (providing far more control of ActiveX controls, for example). Less mentioned, but more important, is revamped memory protection to prevent buffer overruns, the perennial source of so many security problems. SP2 also gave users up-to-date versions of IE and Outlook Express. Our reviewers weren't impressed, describing SP2 as a "missed opportunity" to improve consumer security.

Two attacks this year drove home the need for improved security in Internet Explorer. June's Download.Ject exploit and November's use of an IFRAME exploit in IE laid users of Internet Explorer open to spyware or viral infestation simply by visiting trusted websites. The IFRAME exploit was blocked by SP2, and by a patch Microsoft issued for earlier Windows builds in December, but even the Download.Ject exploit prompted security clearing house CERT to advise users to consider using alternative browsers for security reasons. Meanwhile the release of Firefox in November gave IE some serious competition.

In announcing the feature set of SP2 at the RSA Conference in February, Bill Gates also lent Microsoft's support to the battle against email spam. The spam tsunami showed no signs of letting up this year. Around 80 per cent of all email is spam – and most of it is sent through infected home computers. Prosecutions have been brought under the US's CAN-SPAM Act but it's doubtful it will prove to be much of a deterrent. Spamming is simply too profitable.

Mobile menace exaggerated, for now

This year saw the first viruses to affect mobiles, though none made a big splash. June saw the appearance of Cabir, the first virus to hit Symbian-based Bluetooth phones. November brought the Skulls Trojan, which made smartphone features of Symbian Series 60 phones inoperable. Neither piece of malware spread widely and, in practice, users would have to agree to accept infection for anything untoward to happen. The last 12 months also saw the arrival of a proof-of-concept PocketPC virus called Duts, closely followed by Brador, the first backdoor for PocketPC devices. As mobile devices become more common - and their internal operation better understood - more serious threats are likely to emerge.

Every new technology innovation brings with it new types of risks. The launch of a desktop search tool from Google has spawned numerous articles about perceived security risks. But 2005 will likely be dominated by Windows threats and the trial of virus authors arrested this year, such as Sven Jaschan.